Skip to main content

2 posts tagged with "compliance"

View All Tags
MissedComplianceMITM / replayUX / messaging

GeoLocs / mkodo — Casumo Casino (QC/ON border): KYC bypass with fake Quebec address; Ontario licence suspended May 14

GeoLocsCasumo Casino
geolocsmkodocasumoontarioquebec

Source. June 23, 2026 weekly sync.
Ticket. CIV-55: mkodo / GeoLocs — full validation.

What we tested

Full validation of mkodo's GeoLocs product via Casumo Casino, tested from the Quebec side of the Ontario–Quebec border. Casumo's Ontario licence was suspended May 14 — relevant context for the operating posture during testing.

What happened

Compliance gaps

  • KYC bypassed with fake Quebec addressOntario ID and Ontario billing address both accepted; $10 deposit completed despite contradictory jurisdiction documentation.

Blocks / working detections

  • Ontario users correctly blocked from registering in-province.
  • ⚠️ DevTools intermittently detected on Mac.
  • Hardware locale evaluation — Canadian-purchased iPhone shown a maintenance page (US iPhone worked — likely device locale detection).

UX issues

  • Games failed to load across all platforms and scenarios under normal conditions — app largely non-functional in QC.

Why it matters

The KYC bypass is a direct regulatory exposure independent of geolocation accuracy: fabricated Quebec credentials plus contradictory Ontario documentation still produced a funded account. The Quebec gaming failures mean the platform is effectively unusable in that territory today — but the KYC gap would matter on any functional deployment path.

Cross-reference

GeoLocs profile → · June 23 weekly sync →

MissedComplianceProxy

Locance (LocationSmart) Ontario: real-money deposit with no identity check + detection rules exposed in API

locancelocationsmartontariocompliancekyc

Source. June 2, 2026 weekly sync.
Ticket. CIV-53: Locance (LocationSmart) Ontario — compliance and security gaps.

What we tested

Locance (LocationSmart), a geolocation provider active in Ontario. Two angles: the account-onboarding and deposit flow, and the content of the API response when connecting from outside the jurisdiction.

What happened

  • No identity / location verification. A tester completed account registration and a real-money Interac deposit without ever being asked to verify identity or location — a step that should be mandatory under Ontario iGaming compliance rules.
  • Detection logic exposed in plain text. Connecting from a Singapore IP, the API response visibly named the exact detection rules that were triggered — e.g. IP proxy detected, IP hosting provider.

Why it matters

Two distinct problems on one provider:

  1. The identity-verification gap is a direct compliance failure. Completing a real-money deposit with no KYC step is a regulator-facing defect under Ontario rules.
  2. The exposed detection logic is a security weakness. Any technically sophisticated fraudster intercepting the response learns precisely which rules they need to evade, and can tune their attack accordingly.

Both findings are relevant for competitive positioning against operators considering Locance.

Cross-reference

Locance profile → · June 2 weekly sync →